Category Archives: Certification

This week I had the privilege of speaking with a group of Network Security students from ECPI University in Greenville, SC on the topic of what employers look for in hiring graduates into the information security field.

When I first outlined what I thought I wanted to share, I realized I focused too much on technology and not enough core competencies in the area of critical thinking and personal qualities.

As a result, I balanced my presentation and landed on what I hope to be a discussion on why competencies in these key areas (as well as basic skills) are the most important component of what employers seek when hiring new talent. My thought process here is that a great attitude combined with a good aptitude will compensate for a lack of hard technical skills and “real-world” experience.

While I have been involved in hiring several dozen people during my 26 years in the information technology / DFIR field, I still rely on the intangible “x-factor” in making those decisions.

Below is a narrower list of core competencies I presented to the students; it was derived from a compilation of books and information I’ve read over the years, including Type Talk and other leadership authors. Stay with me as I tie this all back to DFIR work.

Critical Thinking

  • Inquisitive
  • Creative Thinker
  • Reasoning
  • Decision Making
  • Problem Solving
  • Organizing and Planning

Decision making and reasoning involve gathering information, evaluating various solutions, and selecting the best option. Sound like qualities a DFIR analyst needs?

Planning and organizing are also critical thinking skills. The ability to plan and organize means you will get tasks done, and done correctly (with high efficiency too). A person who is well organized is prepared to do the job correctly the first time.

Creative thinkers come up with new ways of doing things that add value and serve customers/clients more efficiently. They offer new perspectives about the job at hand. Again, I think these are key components in DFIR because no two DFIR situations are the same, so having creative approaches to problems is an absolute necessity.

Finally, a lifelong learner will always be valued in the marketplace and by their clients, because they become a linchpin when they continually evolve and educate themselves on new ways of tackling a “problem.” The person who is receptive to learning new things and techniques will be more successful than the person who is afraid of learning new things.

Personal Qualities

  • Inquisitive (yes, I think it’s that important)
  • Responsible and Accountable
  • Self Confidence
  • Self Control
  • Honesty and Integrity
  • Adaptable and Flexible
  • Well Groomed
  • Self Directed
  • Self Motivated

Among the Personal Qualities I would like to highlight for current and up-and-coming DFIR analysts: self-management, or self-control, is the ability to manage your personal feelings and reactions to challenges on the job and in life.

Likewise, having a strong value system with a reputation for honesty and personal integrity is key, because a DFIR analyst may inadvertently discover information about others they would rather not know or wish they had not seen. The analyst must be beyond reproach and trusted not to share that information. For that reason, I subscribe to the need for stronger ethics reviews from the major certifying bodies.

Self confidence is another key for the new DFIR analyst, because one day they will be faced with defending their opinion or findings to their client, employer or a court of law. In those cases, the decision maker will likely read the body language of the analyst more than the written/spoken words. As we know, some organizations train their agents on how to present information, findings and opinions to most effectively support their case. The private-hire examiner does not have this luxury and must seek “experience” through non-traditional methods. I took it upon myself to be coached by a couple of local attorneys (one civil; one criminal) on how to best present the relevant pieces of information to a court. I found this exercise eye-opening and used a recent opportunity to watch a couple of cases tried on In Session. (Boring? Yes, perhaps, but for those of the non-legal type it is a good way to understand the flow of cases.) Remember, experience can come from any source; it is all about what you derive from the content you consume.

It might be argued that the personal qualities of being well groomed and having self control are too obvious for this list; however, does any attorney want to see an unkempt, unfiltered witness on the stand? Likewise, I do not think an employer would desire such a personality, for fear of the unknown potential harm to the organization. It is not my intent to rationalize discrimination in any form or fashion, rather to state the obvious. If someone wants to be taken seriously, they should present themselves in a serious manner.

I could write about each of the other core competencies I have put forward; however, I think you see where I was headed: DFIR analysts need more in their “bag” than technology, tools and techniques. DFIR professionals must have the soft skills (which I suggest are core) to solve any DFIR problem.

Keep sharing….

Over the past few years several people have asked me what the best route would be to enter the Digital Forensics / Incident Response field. While there is no best method, there may be one that works well for you. I know the path I took had its challenges, mainly of acceptance, because in the corporate world most people in senior-level management roles did not want to believe that the DF role was necessary. For some reason, the IR role was something easier for them to understand. In the non-corporate world, I had zero law enforcement background, so obtaining my first South Carolina SLED Private Investigator’s license was challenging to say the least. It was not easy to find a current SC PI that (1) understood what DF was; (2) understood its value in a private investigation; and (3) could provide proper “oversight” as required by SLED in the field of DF. Most PIs in SC still conduct photographic or location-based surveillance of some sort, and very few (in SC) are properly credentialed and experienced in the digital forensics field. For more information on Digital Forensic licensing in SC, see my post from December 17, 2012.

This brings us to the topic of Avenues to Entry into Digital Forensics / Incident Response. As I mentioned from the outset, I answer several questions each month on how someone can enter the DF field; next month I will be speaking to a group of Network Security students at ECPI University about what employers are looking for in the network security field. That topic will undoubtedly cross into the DFIR arena, as they have many commonalities.

Some criteria for becoming a successful DFIR investigator or examiner include:

  • critical thinking;
  • methodical;
  • willing to ask questions;
  • have (or develop) an investigator’s mindset;
  • a will-to-learn;
  • willing to admit you don’t know it all, nor can you;
  • the ability to maintain a personal network of like-minded DFIR individuals who you can bounce ideas off of.

Without regard to personal situations and the like, my typical number one response on how someone with little or no experience can inexpensively enter the DFIR field is via the United States military cyber divisions. In today’s tech-driven world, many military operations have a digital forensics component, whether it be networks, computers, smartphones, “dumb” phones, recordable media, etc. The US military is the ideal environment to train the highly experienced DFIR technician. I look at it this way: if a soldier can survive the acquisition of digital evidence while under combat conditions, they are surely capable of dealing with the civilian public during a forensic engagement. In addition, there are benefits such as high-quality forensic training, the GI Bill to pursue college studies after service, and the intangible of having worked on some of the more sensitive DF cases in the world on your CV.

If the military is not a viable option for you, then I would suggest pursuing experience via a federal law enforcement agency, where you will gain the necessary (1) training; (2) support; and (3) experience to advance your DFIR career path. Join a federal law enforcement agency early enough in your career and you could likely retire with full government benefits while pursuing your chosen field in the private sector. A federal agency will provide the properly educated candidate with additional training in the areas of evidence handling, chain of custody and expert testimony, and an in-house support network to further enhance your skills.

In these first two options, you will not require the “special” state-level licensing I referenced in my December 17, 2012, post. Typically, military and law enforcement are exempt from such requirements as long as the individuals are pursuing their official duties.

Remembering that we are introducing the next generation of DFIR analysts to the field, I would suggest one pursue a career in DFIR in the private sector. In doing so, obtain experience and credentials in the following areas in order to become a candidate for those junior-level positions:

  • Bachelor’s degree in a technical field – Computer Science, Math, Engineering, etc.
  • Broad-based IT related certifications – from providers like (ISC)2, CompTIA
  • A good understanding of networking – from Cisco or CompTIA
  • Be familiar with at least one scripting language – this is more about structure than mechanics though both are good
  • Be familiar with at least two operating systems – Windows plus MacOS X, Linux, or other Unix-based OS
  • Incident handling / digital forensic certification – from The International Society of Forensic Computer Examiners or SANS/GIAC
  • Any investigative experience where evidence handling procedures are established and followed

Of course, these are guidelines oriented to the beginner in the field; seasoned IT professionals with 10+ years’ experience as a network engineer, SysAdmin, etc. could likely substitute that experience in some of the areas mentioned above.

My recommendations in the private sector would be the security operations center of a major telco/ISP, an incident response service provider, or a multi-national company with more than 10,000 users and a strong information security practice. I do not want to get too specific here, but I think you can make your own judgment on what would be a good fit for your situation.

In closing, I want to be clear: no one certification (or degree) will make you a DFIR analyst / examiner / investigator; however, the items listed above will help you make the short-list from an employer’s perspective. As told to me by a now retired 28-year veteran of the FBI who led the first computer forensic case handled by the FBI, “There is no substitute for experience.” While that may be true, gaining experience in the DFIR field takes time; expect to spend 3-5 years in an entry-level position progressively working towards your goals before you have seen the broad variety of cases and situations that are handled by a seasoned DFIR investigator.